We prove a compactness theorem in the context of Hennessy-Milner logic. It is used to derive a sufficient condition on modal characterizations for the Approximation Induction Principle to be sound modulo the corresponding process equivalence. We show that this condition is necessary when the equivalence in question is compositional with respect to the projection operators.

1 Introduction 

Hennessy-Milner logic [8] is a modal logic for specifying properties of states in a labelled transition system (LTS). Rob van Glabbeek [6] uses this logic to characterize a wide range of process semantics in terms of observations. That is, a process semantics is captured by means of a sublogic of Hennessy-Milner logic; two states in an LTS are equivalent if and only if they make true exactly the same formulas in this sublogic. In particular, Hennessy-Milner logic itself characterizes bisimulation equivalence.

For several process semantics, mainly in the realm of simulation, van Glabbeek introduces three different modal characterizations (see [6, Fig. 9]), which differ in their treatment of conjunction. Apart from the richest characterizations, which correspond to the canonical process equivalences, there are also finitary versions (denoted with a superscript $*$), which allow only conjunctions over a finite set. Intermediate equivalences based on formulas with arbitrary conjunctions but finite depth are considered as well (with a superscript $\omega$). The corresponding equivalences all differ in general LTSs and collapse in the setting of image-finite LTSs. An LTS is image-finite if for each state and each action $a$, there are finitely many outgoing $a$-transitions. Van Glabbeek sketches separate proofs that the modal characterizations capture the same process semantics under consideration. These proofs are always almost identical.

Here we show that given a modal characterization of a process semantics for general LTSs, restricting 
to finite sub-conjunctions produces a modal characterization of the same semantics for image-finite LTSs. 
The only requirement is that the formulas that are thus obtained were already present in the original 
modal characterization. All semantics in the linear time - branching time spectrum [6] have a modal 
characterization that satisfies this requirement, except for completed trace semantics (in case of an infinite 
action set). 

We obtain a similar compactness result for modal characterizations in which formulas have finite 
depth. In this case only infinite conjunctions that have an infinite depth need to be restricted to their finite 
sub-conjunctions. Again, the original and the resulting modal characterization coincide, if the resulting 
formulas were already present in the original modal characterization. The modal characterization of 
completed trace semantics satisfies this property. 

Van Glabbeek uses a version of Hennessy-Milner logic that contains negation (so that disjunction, falsum, and $[a]\phi$ need not be present). However, in that logic the aforementioned result is not so easy to obtain. Therefore we first prove the result in a negation-free version of Hennessy-Milner logic. Next we show that the result carries over to Hennessy-Milner logic with negation.
Next we study the Approximation Induction Principle (AIP) from process algebra, which states that two processes are equal if they are equal up to any finite depth. It is well-known that this proof principle is sound modulo bisimulation equivalence for image-finite processes [5]. Moreover, it is folklore that this soundness result extends to the other equivalences in the linear time - branching time spectrum [1]. We obtain a sufficient condition on the modal characterization of a process equivalence, to guarantee that AIP is sound with respect to this equivalence. The result is then linked to the compactness theorem from the first part. The sufficient condition says that the modal characterization must only contain formulas of finite depth. We also show that this is basically a necessary condition: if an equivalence is sound modulo AIP, and compositional w.r.t. the projection operators used in the definition of AIP, then it can be characterized by a set of finite-depth formulas.

2 Modal Characterizations for Image-Finite Processes 
2.1 Hennessy-Milner Logic 

A labelled transition system (LTS) consists of a set $S$ of states $s$, a set $A$ of actions $a$, and a set of transitions $s \xrightarrow{a} s'$. An LTS is image-finite if for each $s$ and $a$, the LTS contains only finitely many transitions $s \xrightarrow{a} s'$.

Hennessy-Milner logic [8] is a modal logic for specifying properties of states in an LTS. There exist several versions of Hennessy-Milner logic. The most general language, as presented in [6], is denoted with HML. Its syntax can be defined with the following BNF grammar:

$$\phi ::= \top \;\mid\; \bigwedge_{i \in I} \phi_i \;\mid\; \langle a \rangle \phi \;\mid\; \neg \phi$$

The meaning of the formulas is defined inductively as follows:

$$s \models \top \qquad\qquad s \models \langle a \rangle \phi \;\Leftrightarrow\; \exists s' \in S\,(s \xrightarrow{a} s' \wedge s' \models \phi)$$

$$s \models \bigwedge_{i \in I} \phi_i \;\Leftrightarrow\; \forall i \in I\,(s \models \phi_i) \qquad\qquad s \models \neg\phi \;\Leftrightarrow\; s \not\models \phi$$

There exists a different syntax (see [11, 12]) of Hennessy-Milner logic without negation symbol, denoted with $\mathrm{HML}^+$. As we will see later on, its formulas have nice properties which make it easier to perform certain proofs.

$$\phi ::= \top \;\mid\; \bot \;\mid\; \bigwedge_{i \in I} \phi_i \;\mid\; \bigvee_{i \in I} \phi_i \;\mid\; \langle a \rangle \phi \;\mid\; [a] \phi$$

The meaning of the new formulas is defined below:

$$s \not\models \bot \qquad s \models \bigvee_{i \in I} \phi_i \;\Leftrightarrow\; \exists i \in I\,(s \models \phi_i) \qquad s \models [a]\phi \;\Leftrightarrow\; \forall s' \in S\,(s \xrightarrow{a} s' \Rightarrow s' \models \phi)$$

Observe that we allow quantification over arbitrary sets of indexes $I$. If we restrict to conjunction and disjunction operators over finite sets only, we obtain a language of finite Hennessy-Milner formulas, denoted by $\mathrm{HML}_{\mathrm{FIN}}$ or $\mathrm{HML}^+_{\mathrm{FIN}}$, respectively.

We define the depth of a formula $d : \mathrm{HML} \to \mathbb{N} \cup \{\infty\}$ inductively as:

$$d(\top) = 0 \qquad d\Big(\bigwedge_{i \in I} \phi_i\Big) = \sup\{d(\phi_i) \mid i \in I\} \qquad d(\langle a \rangle \phi) = 1 + d(\phi) \qquad d(\neg\phi) = d(\phi)$$

$\mathrm{HML}_{\mathrm{FDP}}$ and $\mathrm{HML}^+_{\mathrm{FDP}}$ denote the sets of formulas of finite depth: $\mathrm{HML}_{\mathrm{FDP}} = \{\phi \in \mathrm{HML} \mid d(\phi) < \infty\}$, and analogously for $\mathrm{HML}^+$.

A context $C[\,]$ denotes a formula containing one occurrence of $[\,]$. The formula $C[\phi]$ is obtained by replacing this occurrence of $[\,]$ by the formula $\phi$. It is well-known, and easy to see, that $\phi \Rightarrow \psi$ yields $C[\phi] \Rightarrow C[\psi]$ for all contexts $C[\,]$ over $\mathrm{HML}^+$.
2.2 Compactness Results

In this section, we show that for image-finite processes, an infinite conjunction or disjunction inside an $\mathrm{HML}^+$ formula can be captured by its finite sub-conjunctions or sub-disjunctions, respectively. These results are somewhat reminiscent of the compactness theorem for first-order logic, which states that a set of formulas has a model if and only if every finite subset of it has a model.

In [11] there is a result (Lem. 2.8) which implies the proposition below, but only for $\mathrm{HML}^+_{\mathrm{FIN}}$ formulas. Moreover, in [11] no proof is provided for Lem. 2.8. Therefore we include a proof of Prop. 1 to make the current paper self-contained.

$J \subseteq_{\mathrm{FIN}} I$ denotes that $J$ is a finite subset of $I$.

Proposition 1 Given an image-finite LTS, $s \models C[\bigwedge_{i \in I} \phi_i] \in \mathrm{HML}^+$ if and only if $s \models C[\bigwedge_{i \in J} \phi_i]$ for all $J \subseteq_{\mathrm{FIN}} I$.

Proof: ($\Rightarrow$) For all $J \subseteq_{\mathrm{FIN}} I$, $\bigwedge_{i \in I} \phi_i \Rightarrow \bigwedge_{i \in J} \phi_i$ and so $C[\bigwedge_{i \in I} \phi_i] \Rightarrow C[\bigwedge_{i \in J} \phi_i]$.

($\Leftarrow$) Let $s \models C[\bigwedge_{i \in J} \phi_i]$ for all $J \subseteq_{\mathrm{FIN}} I$. We apply structural induction on $C[\,]$ to prove that then $s \models C[\bigwedge_{i \in I} \phi_i]$.

• $C[\,] = [\,]$.

By assumption, $s \models \phi_i$ for all $i \in I$, so $s \models \bigwedge_{i \in I} \phi_i$.

• $C[\,] = C'[\,] \wedge \bigwedge_{k \in K} \psi_k$.

$s \models C[\bigwedge_{i \in J} \phi_i]$ for all $J \subseteq_{\mathrm{FIN}} I$ implies that $s \models C'[\bigwedge_{i \in J} \phi_i]$ for all $J \subseteq_{\mathrm{FIN}} I$, and $s \models \bigwedge_{k \in K} \psi_k$. By induction, the first fact yields $s \models C'[\bigwedge_{i \in I} \phi_i]$. Hence $s \models C[\bigwedge_{i \in I} \phi_i]$.

• $C[\,] = C'[\,] \vee \bigvee_{k \in K} \psi_k$.

If $s \models \psi_{k_0}$ for some $k_0 \in K$, then clearly $s \models C[\bigwedge_{i \in I} \phi_i]$. So suppose $s \models C'[\bigwedge_{i \in J} \phi_i]$ for all $J \subseteq_{\mathrm{FIN}} I$. Then by induction $s \models C'[\bigwedge_{i \in I} \phi_i]$, and so $s \models C[\bigwedge_{i \in I} \phi_i]$.

• $C[\,] = \langle a \rangle C'[\,]$. This is the key case.

By assumption, $s \models \langle a \rangle C'[\bigwedge_{i \in J} \phi_i]$ for all $J \subseteq_{\mathrm{FIN}} I$. So for each $J \subseteq_{\mathrm{FIN}} I$ there is a state $s_J$ such that $s \xrightarrow{a} s_J$ and $s_J \models C'[\bigwedge_{i \in J} \phi_i]$. Since $s$ is image-finite, $\{s_J \mid J \subseteq_{\mathrm{FIN}} I\}$ is finite, say $\{s_{J_1}, \ldots, s_{J_m}\}$. Suppose, towards a contradiction, that $s_{J_k} \not\models C'[\bigwedge_{i \in I} \phi_i]$ for all $k = 1, \ldots, m$. Then by induction, for all $k = 1, \ldots, m$, $s_{J_k} \not\models C'[\bigwedge_{i \in K_k} \phi_i]$ for some $K_k \subseteq_{\mathrm{FIN}} I$. This implies that, for all $k = 1, \ldots, m$, $s_{J_k} \not\models C'[\bigwedge_{\ell=1}^m \bigwedge_{i \in K_\ell} \phi_i]$. This contradicts the fact that $s_{\bigcup_{\ell=1}^m K_\ell} \in \{s_{J_1}, \ldots, s_{J_m}\}$. We conclude that $s_{J_{k_0}} \models C'[\bigwedge_{i \in I} \phi_i]$ for some $k_0 \in \{1, \ldots, m\}$. Hence $s \models \langle a \rangle C'[\bigwedge_{i \in I} \phi_i]$.

• $C[\,] = [a] C'[\,]$.

Let $s \xrightarrow{a} s'$. By assumption, $s' \models C'[\bigwedge_{i \in J} \phi_i]$ for all $J \subseteq_{\mathrm{FIN}} I$. So by induction, $s' \models C'[\bigwedge_{i \in I} \phi_i]$. Hence $s \models [a] C'[\bigwedge_{i \in I} \phi_i]$.

□

It is easy to see that Prop. 1 fails for LTSs that are not image-finite. A counterexample is given at the end of Sect. 2.3. Namely, in that example, the top state at the left does not satisfy $\langle a \rangle(\bigwedge_{n \in \mathbb{N}} \langle a \rangle^n \top)$, while it does satisfy $\langle a \rangle(\bigwedge_{n \in M} \langle a \rangle^n \top)$ for any $M \subseteq_{\mathrm{FIN}} \mathbb{N}$.

There is a counterpart of Prop. 1 for disjunction instead of conjunction. To derive this lemma immediately from Prop. 1 we introduce an operator that, given a formula in $\mathrm{HML}^+$, yields a formula equivalent to its negation within $\mathrm{HML}^+$. Given a $\phi \in \mathrm{HML}^+$, the formula $\overline{\phi} \in \mathrm{HML}^+$ is defined inductively as follows:

$$\overline{\top} = \bot \qquad \overline{\bigwedge_{i \in I} \phi_i} = \bigvee_{i \in I} \overline{\phi_i} \qquad \overline{\langle a \rangle \phi} = [a]\overline{\phi}$$

$$\overline{\bot} = \top \qquad \overline{\bigvee_{i \in I} \phi_i} = \bigwedge_{i \in I} \overline{\phi_i} \qquad \overline{[a] \phi} = \langle a \rangle \overline{\phi}$$

Clearly, $\neg\phi \Leftrightarrow \overline{\phi}$. Moreover, $\overline{\overline{\phi}} = \phi$. The definition is extended to contexts by putting $\overline{[\,]} = [\,]$. We write $\overline{C}[\,]$ for $\overline{C[\,]}$. It is easy to see that $\overline{C[\phi]} = \overline{C}[\overline{\phi}]$.

Proposition 2 Given an image-finite LTS, $s \models C[\bigvee_{i \in I} \phi_i]$ if and only if $s \models C[\bigvee_{i \in J} \phi_i]$ for some $J \subseteq_{\mathrm{FIN}} I$.

Proof: $s \models C[\bigvee_{i \in I} \phi_i] \;\Leftrightarrow\; s \not\models \overline{C[\bigvee_{i \in I} \phi_i]} \;\Leftrightarrow\; s \not\models \overline{C}[\bigwedge_{i \in I} \overline{\phi_i}] \;\Leftrightarrow\; s \not\models \overline{C}[\bigwedge_{i \in J} \overline{\phi_i}]$ for some $J \subseteq_{\mathrm{FIN}} I$ (by Prop. 1) $\;\Leftrightarrow\; s \not\models \overline{C[\bigvee_{i \in J} \phi_i]}$ for some $J \subseteq_{\mathrm{FIN}} I$ $\;\Leftrightarrow\; s \models C[\bigvee_{i \in J} \phi_i]$ for some $J \subseteq_{\mathrm{FIN}} I$. □

Now we move to Hennessy-Milner logic with negation, HML. Contexts over this syntax are denoted by $D[\,]$. Each formula $\phi$ over this logic can be translated to an equivalent formula $P(\phi) \in \mathrm{HML}^+$ in a straightforward fashion:

$$P(\top) = \top \qquad P\Big(\bigwedge_{i \in I} \phi_i\Big) = \bigwedge_{i \in I} P(\phi_i)$$

$$P(\langle a \rangle \phi) = \langle a \rangle P(\phi) \qquad P(\neg\phi) = \overline{P(\phi)}$$

Clearly, $\phi \Leftrightarrow P(\phi)$. The definition is extended to contexts by putting $P([\,]) = [\,]$. We write $P(D)[\,]$ for $P(D[\,])$.

For Hennessy-Milner logic with negation, we inductively define positive and negative contexts as 
follows. 

• $[\,]$ is a positive context.

• If $D[\,]$ is a positive (resp. negative) context, then $D[\,] \wedge \bigwedge_{i \in I} \psi_i$ and $\langle a \rangle D[\,]$ are positive (resp. negative) contexts.

• If $D[\,]$ is a positive (resp. negative) context, then $\neg D[\,]$ is a negative (resp. positive) context.

Lemma 1 $P(D[\phi]) = P(D)[P(\phi)]$ if $D[\,]$ is a positive context, and $P(D[\phi]) = P(D)[\overline{P(\phi)}]$ if $D[\,]$ is a negative context.

Proof: We prove both statements simultaneously, by structural induction on $D[\,]$. The cases where $D[\,]$ is of the form $[\,]$, $D'[\,] \wedge \bigwedge_{i \in I} \psi_i$ or $\langle a \rangle D'[\,]$ are straightforward and left to the reader. We focus on the key case $D[\,] = \neg D'[\,]$.

First let $D[\,]$ be positive, so $D'[\,]$ is negative. Then $P(\neg D'[\phi]) = \overline{P(D'[\phi])} = \overline{P(D')[\overline{P(\phi)}]}$ (by induction) $= \overline{P(D')}[\overline{\overline{P(\phi)}}] = P(\neg D')[P(\phi)]$.

Next let $D[\,]$ be negative, so $D'[\,]$ is positive. Then $P(\neg D'[\phi]) = \overline{P(D'[\phi])} = \overline{P(D')[P(\phi)]}$ (by induction) $= \overline{P(D')}[\overline{P(\phi)}] = P(\neg D')[\overline{P(\phi)}]$. □

Now we can prove a counterpart of Prop. 1 and 2 for HML.

Proposition 3 Given an image-finite LTS.

1. If $D[\,]$ is a positive context, then $s \models D[\bigwedge_{i \in I} \phi_i]$ if and only if $s \models D[\bigwedge_{i \in J} \phi_i]$ for all $J \subseteq_{\mathrm{FIN}} I$.

2. If $D[\,]$ is a negative context, then $s \models D[\bigwedge_{i \in I} \phi_i]$ if and only if $s \models D[\bigwedge_{i \in J} \phi_i]$ for some $J \subseteq_{\mathrm{FIN}} I$.

Proof: If $D[\,]$ is a positive context, then

$s \models D[\bigwedge_{i \in I} \phi_i] \;\Leftrightarrow\; s \models P(D[\bigwedge_{i \in I} \phi_i]) \;\Leftrightarrow\; s \models P(D)[\bigwedge_{i \in I} P(\phi_i)]$ (by Lem. 1) $\;\Leftrightarrow\; s \models P(D)[\bigwedge_{i \in J} P(\phi_i)]$ for all $J \subseteq_{\mathrm{FIN}} I$ (by Prop. 1) $\;\Leftrightarrow\; s \models P(D[\bigwedge_{i \in J} \phi_i])$ for all $J \subseteq_{\mathrm{FIN}} I$ (by Lem. 1) $\;\Leftrightarrow\; s \models D[\bigwedge_{i \in J} \phi_i]$ for all $J \subseteq_{\mathrm{FIN}} I$.

If $D[\,]$ is a negative context, then

$s \models D[\bigwedge_{i \in I} \phi_i] \;\Leftrightarrow\; s \models P(D[\bigwedge_{i \in I} \phi_i]) \;\Leftrightarrow\; s \models P(D)[\bigvee_{i \in I} \overline{P(\phi_i)}]$ (by Lem. 1) $\;\Leftrightarrow\; s \models P(D)[\bigvee_{i \in J} \overline{P(\phi_i)}]$ for some $J \subseteq_{\mathrm{FIN}} I$ (by Prop. 2) $\;\Leftrightarrow\; s \models P(D[\bigwedge_{i \in J} \phi_i])$ for some $J \subseteq_{\mathrm{FIN}} I$ (by Lem. 1) $\;\Leftrightarrow\; s \models D[\bigwedge_{i \in J} \phi_i]$ for some $J \subseteq_{\mathrm{FIN}} I$. □
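As an added example (not code from the paper), the following Python encodes HML and $\mathrm{HML}^+$ formulas as nested tuples and implements the negation dual $\overline{\phi}$, the translation $P$, context filling and the positive/negative polarity of a context from Sect. 2.2, then checks Lemma 1 syntactically on a constructed context and formula. The tuple encoding, the helper names (`bar`, `P`, `fill`, `polarity`, `lemma1_holds`) and the sample formulas are this example's own assumptions; only finite conjunctions are representable here, whereas the paper's index sets $I$ may be infinite.

```python
# Added example, not from the paper. Constructed encodings:
#   HML:  ('top',) | ('and', (f1, ...)) | ('dia', a, f) | ('not', f)
#   HML+: ('top',) | ('bot',) | ('and', (...)) | ('or', (...)) | ('dia', a, f) | ('box', a, f)
# A context is a formula containing exactly one occurrence of HOLE.
HOLE = ('hole',)

def bar(f):
    """Negation dual on HML+ (Sect. 2.2); bar(HOLE) = HOLE extends it to contexts."""
    tag = f[0]
    if tag == 'hole': return f
    if tag == 'top': return ('bot',)
    if tag == 'bot': return ('top',)
    if tag == 'and': return ('or', tuple(bar(g) for g in f[1]))
    if tag == 'or': return ('and', tuple(bar(g) for g in f[1]))
    if tag == 'dia': return ('box', f[1], bar(f[2]))
    if tag == 'box': return ('dia', f[1], bar(f[2]))
    raise ValueError(f)

def P(f):
    """Translation HML -> HML+: negation becomes the dual, P(HOLE) = HOLE."""
    tag = f[0]
    if tag in ('hole', 'top'): return f
    if tag == 'and': return ('and', tuple(P(g) for g in f[1]))
    if tag == 'dia': return ('dia', f[1], P(f[2]))
    if tag == 'not': return bar(P(f[1]))
    raise ValueError(f)

def fill(ctx, f):
    """C[f]: replace the single occurrence of HOLE in ctx by f (HML or HML+)."""
    tag = ctx[0]
    if tag == 'hole': return f
    if tag in ('top', 'bot'): return ctx
    if tag in ('and', 'or'): return (tag, tuple(fill(g, f) for g in ctx[1]))
    if tag in ('dia', 'box'): return (tag, ctx[1], fill(ctx[2], f))
    if tag == 'not': return ('not', fill(ctx[1], f))
    raise ValueError(ctx)

def polarity(ctx):
    """+1 for a positive HML context, -1 for a negative one, 0 for a hole-free subterm."""
    tag = ctx[0]
    if tag == 'hole': return 1
    if tag == 'top': return 0
    if tag == 'and': return sum(polarity(g) for g in ctx[1])  # exactly one conjunct holds the hole
    if tag == 'dia': return polarity(ctx[2])
    if tag == 'not': return -polarity(ctx[1])
    raise ValueError(ctx)

def lemma1_holds(ctx, phi):
    """Lemma 1: P(D[phi]) equals P(D)[P(phi)] for positive D and P(D)[bar(P(phi))] for negative D."""
    inner = P(phi) if polarity(ctx) > 0 else bar(P(phi))
    return P(fill(ctx, phi)) == fill(P(ctx), inner)

# Constructed samples: D_POS = not <a>(not [] and <b>T) is positive (two negations on the path
# to the hole); D_NEG = not ([] and <a>T) is negative.
D_POS = ('not', ('dia', 'a', ('and', (('not', HOLE), ('dia', 'b', ('top',))))))
D_NEG = ('not', ('and', (HOLE, ('dia', 'a', ('top',)))))
PHI = ('and', (('dia', 'a', ('top',)), ('not', ('dia', 'b', ('top',)))))
```

`P(D_POS)` evaluates to `('box', 'a', ('or', (HOLE, ('box', 'b', ('bot',)))))`, so the hole survives the translation and `fill` can then plug in `P(PHI)`; for the negative context the same check plugs in `bar(P(PHI))` instead, which is exactly the case split in the statement of Lemma 1.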



2.3 Modal Characterizations

A process semantics on LTSs can be captured by means of a sublogic of HML; see [6] for a wide range of such modal characterizations. Given such a sublogic $\mathcal{O}$, two states in an LTS are equivalent if and only if they make true exactly the same formulas in $\mathcal{O}$. We denote this equivalence relation on states by $\sim_{\mathcal{O}}$.

We will prove that given such a modal characterization of a process semantics for general LTSs, 
restricting infinite conjunctions to their finite sub-conjunctions produces a modal characterization of the 
same semantics, on image-finite LTSs. The only requirement is that these finite sub-conjunctions are 
already present in the original modal characterization for general LTSs. 

We obtain a similar compactness result for modal characterizations of which the formulas may contain infinite conjunctions, but are all of finite depth. In this case only infinite conjunctions that have an infinite depth need to be restricted to their finite sub-conjunctions. Again, the original and the resulting modal characterization coincide, if the resulting formulas were already present in the original modal characterization.

The modal characterizations in [6] all satisfy this requirement, except for the one of completed trace semantics, in case of an infinite action set. Namely, the modal characterization of completed trace semantics, for general processes as well as for image-finite ones, is:

$$\phi ::= \top \;\mid\; \bigwedge_{a \in A} \neg\langle a \rangle \top \;\mid\; \langle a \rangle \phi$$

where $A$ denotes the set of all actions.

Given a modal characterization $\mathcal{O}$, we denote the sublogic of formulas in $\mathcal{O}$ that do not contain infinite conjunctions by $\mathcal{O}_{\mathrm{FIN}}$ and the sublogic of formulas with finite depth by $\mathcal{O}_{\mathrm{FDP}}$. Clearly $\mathcal{O}_{\mathrm{FIN}} \subseteq \mathcal{O}_{\mathrm{FDP}}$. Using the results from Sect. 2.2 we can now prove the main theorem of this section.



Theorem 1 Given an image-finite LTS, and $\mathcal{O} \subseteq \mathrm{HML}$.

1. If for each $D[\bigwedge_{i \in I} \phi_i] \in \mathcal{O}$ with $I$ infinite and $d(\bigwedge_{i \in I} \phi_i) = \infty$, $D[\bigwedge_{i \in J} \phi_i] \in \mathcal{O}$ for all $J \subseteq_{\mathrm{FIN}} I$, then $\sim_{\mathcal{O}}$ and $\sim_{\mathcal{O}_{\mathrm{FDP}}}$ coincide.

2. If for each $D[\bigwedge_{i \in I} \phi_i] \in \mathcal{O}$ with $I$ infinite, $D[\bigwedge_{i \in J} \phi_i] \in \mathcal{O}$ for all $J \subseteq_{\mathrm{FIN}} I$, then $\sim_{\mathcal{O}}$ and $\sim_{\mathcal{O}_{\mathrm{FIN}}}$ coincide.



Proof: We will prove the theorem for the subset of finite formulas $\mathcal{O}_{\mathrm{FIN}}$, and make remarks between square brackets about the version with $\mathcal{O}_{\mathrm{FDP}}$ whenever it is necessary. Since $\mathcal{O}_{\mathrm{FIN}} \subseteq \mathcal{O}_{\mathrm{FDP}} \subseteq \mathcal{O}$, clearly $\sim_{\mathcal{O}} \subseteq \sim_{\mathcal{O}_{\mathrm{FDP}}} \subseteq \sim_{\mathcal{O}_{\mathrm{FIN}}}$. We need to show that $\mathcal{O}_{\mathrm{FIN}}$ [resp. $\mathcal{O}_{\mathrm{FDP}}$] can distinguish all states that $\mathcal{O}$ can.

Given states $s, s'$ and a formula $\phi \in \mathcal{O}$ with $s \models \phi$ and $s' \not\models \phi$. We will construct a formula in $\mathcal{O}_{\mathrm{FIN}}$ [resp. $\mathcal{O}_{\mathrm{FDP}}$] that distinguishes $s$ and $s'$. We apply ordinal induction on the length $\Lambda(\phi)$ of the longest chain of nested infinite conjunctions [of infinite depth] in $\phi$. That is,

$$\Lambda(\top) = 0 \qquad \Lambda(\langle a \rangle \phi) = \Lambda(\phi) \qquad \Lambda(\neg\phi) = \Lambda(\phi)$$

$$\Lambda\Big(\bigwedge_{i \in I} \phi_i\Big) = \begin{cases} 1 + \sup\{\Lambda(\phi_i) \mid i \in I\} & \text{if } I \text{ is infinite [and } d(\bigwedge_{i \in I} \phi_i) = \infty] \\ \sup\{\Lambda(\phi_i) \mid i \in I\} & \text{otherwise} \end{cases}$$

The base case is trivial, because if $\Lambda(\phi) = 0$, then $\phi \in \mathcal{O}_{\mathrm{FIN}}$ [resp. $\phi \in \mathcal{O}_{\mathrm{FDP}}$]. Now consider the inductive case, where $\Lambda(\phi) > 0$. Let $\phi = D[\bigwedge_{i \in I} \phi_i]$ with $I$ [and $d(\bigwedge_{i \in I} \phi_i)$] infinite, where this occurrence of an infinite conjunction [of infinite depth] in $\phi$ is outermost, in the sense that it does not occur within any infinite conjunction [of infinite depth]. We distinguish two cases.

• $D[\,]$ is a positive context. By Prop. 3.1, $s' \not\models \phi$ implies that $s' \not\models D[\bigwedge_{i \in J_0} \phi_i]$ for some $J_0 \subseteq_{\mathrm{FIN}} I$, while $s \models \phi$ implies that $s \models D[\bigwedge_{i \in J_0} \phi_i]$.

• $D[\,]$ is a negative context. By Prop. 3.2, $s \models \phi$ implies that $s \models D[\bigwedge_{i \in J_0} \phi_i]$ for some $J_0 \subseteq_{\mathrm{FIN}} I$, while $s' \not\models \phi$ implies that $s' \not\models D[\bigwedge_{i \in J_0} \phi_i]$.

In both cases, by assumption, $D[\bigwedge_{i \in J_0} \phi_i] \in \mathcal{O}$.

Clearly, there are only finitely many outermost occurrences of infinite conjunctions [of infinite depth] in $\phi$. Using the construction above, these can all be replaced by finite conjunctions, to obtain a formula $\psi \in \mathcal{O}$ that distinguishes $s$ and $s'$. Since $\Lambda(\psi) < \Lambda(\phi)$, by ordinal induction, we can construct a formula in $\mathcal{O}_{\mathrm{FIN}}$ [resp. $\mathcal{O}_{\mathrm{FDP}}$] that distinguishes $s$ and $s'$. □

It is easy to see that the requirement in Thm. 1 that $D[\bigwedge_{i \in J} \phi_i] \in \mathcal{O}$ for all $J \subseteq_{\mathrm{FIN}} I$ cannot be omitted. For instance, let $\mathcal{O}$ consist of a single formula with an infinite conjunction, $\bigwedge_{n \in \mathbb{N}} \langle a \rangle^n \top$ (with $\langle a \rangle^0 \phi = \phi$ and $\langle a \rangle^{n+1} \phi = \langle a \rangle(\langle a \rangle^n \phi)$). Then $\mathcal{O}_{\mathrm{FIN}} = \emptyset$, so $\sim_{\mathcal{O}_{\mathrm{FIN}}}$ is the universal relation. On the other hand, $\mathcal{O}$ distinguishes an $a$-cycle from a deadlock state.

The following example, taken from [6], shows that Thm. 1 fails for LTSs that are not image-finite. Consider an LTS that consists of finite $a$-traces of arbitrary length, and an LTS that on top of this exhibits an infinite $a$-trace.

[Figure omitted: the two LTSs described above, the left one with an $a$-trace of every finite length, the right one additionally with an infinite $a$-trace.]

Let $\mathcal{O} = \{\langle a \rangle(\bigwedge_{n \in N} \langle a \rangle^n \top) \mid N \subseteq \mathbb{N}\}$. Then $\mathcal{O}_{\mathrm{FIN}} = \{\langle a \rangle(\bigwedge_{n \in N} \langle a \rangle^n \top) \mid N \subseteq_{\mathrm{FIN}} \mathbb{N}\}$. Clearly, $\mathcal{O}$ distinguishes the top states of the two LTSs above, by means of any formula $\langle a \rangle(\bigwedge_{n \in N} \langle a \rangle^n \top)$ with $N$ infinite. Namely, such a formula holds for the top state at the right, but not for the top state at the left. However, $\mathcal{O}_{\mathrm{FIN}}$ does not distinguish these states; all formulas in $\mathcal{O}_{\mathrm{FIN}}$ hold for both states.

Goldblatt [7] and Hollenberg [10] (see also [4]) investigated models that are more general than image-finite LTSs, but that do have the Hennessy-Milner property. That is, models where the modal equivalence $\sim_{\mathrm{HML}}$ coincides with bisimulation equivalence. This led to the notion of modally saturated processes; an LTS is M-saturated if for all states $s$ and all $\mathcal{O} \subseteq \mathrm{HML}$, whenever every finite subset of $\mathcal{O}$ is satisfied in some $a$-successor of $s$, then there exists an $a$-successor of $s$ in which $\mathcal{O}$ is satisfied. It is not difficult to prove, with ordinal induction on the structure of formulas, that Thm. 1 holds for M-saturated models as well.

3 Approximation Induction Principle 

For each natural number $n$ we define a projection operator $\pi_n$ which mimics the behaviour of its argument up to $n$ steps and then terminates. The behaviour of an application of the projection operator to a process (or state) is given by the following rule scheme:

$$\frac{x \xrightarrow{a} x'}{\pi_{n+1}(x) \xrightarrow{a} \pi_n(x')}$$

The Approximation Induction Principle (AIP) states that if two processes are equal up to any finite depth, then the processes themselves are equal.

(AIP) If $\pi_n(x) = \pi_n(y)$ for all $n \in \mathbb{N}$, then $x = y$.

3.1 Sufficient Criterion for Soundness of AIP

In [1] it is stated that AIP is sound for all 11 "strong" equivalences from [6], but no argument is provided. Soundness of AIP has been proved several times for bisimulation equivalence (e.g. [5]) in the setting of finitely branching or image-finite processes. The standard technique is to prove that a relation identifying two processes if and only if all of their projections are bisimilar is a bisimulation (provided that one of the processes is image-finite). A different proof has been presented in [?]. Given two processes $p$ and $q$ the authors consider, for all $n \in \mathbb{N}$, the bisimulations between $\pi_n(p)$ and $\pi_n(q)$. Bisimulations for the $n$-th projection are linked with those bisimulations for the $(n+1)$-th projection in which they are included. This way an infinite, finitely branching tree is constructed. The bisimulation between $p$ and $q$ is the union of the bisimulations lying on an infinite path in the tree.

We present a general proof of soundness of AIP in a different way for a range of equivalences, using properties of modal languages that define an equivalence. Namely, AIP is sound for all process equivalences that can be defined using modal characterizations within $\mathrm{HML}_{\mathrm{FDP}}$. The crucial part of the proof is the following lemma, which states that if a finite-depth formula is satisfied by a process, then it is satisfied by almost all of its projections.

Lemma 2 Given any LTS, for all states $s$ and $\phi \in \mathrm{HML}_{\mathrm{FDP}}$:

$$s \models \phi \;\Leftrightarrow\; \forall n > d(\phi)\; \pi_n(s) \models \phi$$

Proof: Let $s$ be an arbitrary state. We will proceed with induction on the complexity of a formula, defined by:

$$|\top| = 1 \qquad |\langle a \rangle \phi| = 1 + |\phi| \qquad \Big|\bigwedge_{i \in I} \phi_i\Big| = 1 + \sup\{|\phi_i| \mid i \in I\} \qquad |\neg\phi| = 1 + |\phi|$$

"$\Rightarrow$": The base is trivial ($\phi = \top$). Let $\phi$ be a formula such that $s \models \phi$, and suppose that for all $s'$ and for all $\psi$ with $|\psi| < |\phi|$, $s' \models \psi$ implies that $\psi$ is satisfied by all projections $\pi_n(s')$ for $n > d(\psi)$. There are three possible cases:

• $\phi = \langle a \rangle \psi$

Then $\exists q: s \xrightarrow{a} q$ with $q \models \psi$. From the induction hypothesis we obtain: $\forall n > d(\psi)\; \pi_n(q) \models \psi$. Since $\pi_n(s) \xrightarrow{a} \pi_{n-1}(q)$ for $n \geq 1$, we have: $\forall n > d(\psi) + 1\; \pi_n(s) \models \langle a \rangle \psi$, so $\forall n > d(\langle a \rangle \psi)\; \pi_n(s) \models \langle a \rangle \psi$.

• $\phi = \bigwedge_{i \in I} \psi_i$

Then $\forall i \in I\; s \models \psi_i$. By induction, this implies: $\forall i \in I\; \forall n > d(\psi_i)\; \pi_n(s) \models \psi_i$. Therefore $\forall n > \max_{i \in I}\{d(\psi_i)\}$, $\forall i \in I\; \pi_n(s) \models \psi_i$. By definition $d(\bigwedge_{i \in I} \psi_i) = \max_{i \in I}\{d(\psi_i)\}$, so $\forall n > d(\bigwedge_{i \in I} \psi_i)\; \pi_n(s) \models \bigwedge_{i \in I} \psi_i$.

• $\phi = \neg\psi$

We have to consider all the subcases, depending on $\psi$:

- $\psi = \top$: this is impossible (it would mean that $s \not\models \top$, which is never true).

- $\psi = \langle a \rangle \psi'$: Then $\forall s' : s \xrightarrow{a} s'$ we have $s' \models \neg\psi'$. By induction $\forall s' : s \xrightarrow{a} s'$ we have $\forall n > d(\neg\psi')\; \pi_n(s') \models \neg\psi'$. Therefore $\forall n > d(\neg\psi') + 1\; \pi_n(s) \models \neg\langle a \rangle \psi'$, and thus $\forall n > d(\phi)\; \pi_n(s) \models \neg\langle a \rangle \psi'$.

- $\psi = \bigwedge_{i \in I} \psi_i$: Then $\exists i_0 \in I : s \models \neg\psi_{i_0}$. By induction, $\forall n > d(\neg\psi_{i_0})\; \pi_n(s) \models \neg\psi_{i_0}$, and so $\forall n > d(\phi)\; \pi_n(s) \models \neg\bigwedge_{i \in I} \psi_i$, which is the desired statement.

- $\psi = \neg\psi'$: This is immediate (in this case $\phi$ is equivalent to $\psi'$).

"$\Leftarrow$": The other direction follows immediately from what we have just proven. Take an arbitrary formula $\phi \in \mathrm{HML}_{\mathrm{FDP}}$ and a state $s$ such that $\forall n > d(\phi)\; \pi_n(s) \models \phi$. Suppose towards a contradiction that $s \not\models \phi$. Then $s \models \neg\phi$, and it was already proven that this implies $\forall n > d(\neg\phi)\; \pi_n(s) \models \neg\phi$. This contradicts our assumptions. Therefore $s$ must satisfy $\phi$. □

Theorem 2 If $\mathcal{O} \subseteq \mathrm{HML}_{\mathrm{FDP}}$, then AIP is sound for $\sim_{\mathcal{O}}$.

Proof: We need to show that $\forall n \in \mathbb{N}\,(\pi_n(s) \sim_{\mathcal{O}} \pi_n(q)) \Rightarrow s \sim_{\mathcal{O}} q$. Suppose that $\forall n \in \mathbb{N}\,(\pi_n(s) \sim_{\mathcal{O}} \pi_n(q))$. We have to prove that $\mathcal{O}(s) = \mathcal{O}(q)$, where $\mathcal{O}(s)$ denotes the set of formulas in $\mathcal{O}$ that hold in $s$. In fact it suffices to prove that $\mathcal{O}(s) \subseteq \mathcal{O}(q)$; the proof of the other inclusion is symmetric. Take any $\phi \in \mathcal{O}(s)$. According to Lemma 2, $\forall n > d(\phi)\; \phi \in \mathcal{O}(\pi_n(s)) = \mathcal{O}(\pi_n(q))$. Using the same lemma again we obtain $\phi \in \mathcal{O}(q)$. □
In view of the results from the previous section, we obtain the following sufficient condition for the 
soundness of AIP in the setting of image-finite LTSs. 

Corollary 1 Let $\mathcal{O} \subseteq \mathrm{HML}$. Suppose that for each $D[\bigwedge_{i \in I} \phi_i] \in \mathcal{O}$ with $I$ infinite and $d(\bigwedge_{i \in I} \phi_i) = \infty$, $D[\bigwedge_{i \in J} \phi_i] \in \mathcal{O}$ for all $J \subseteq_{\mathrm{FIN}} I$. Then AIP is sound for $\sim_{\mathcal{O}}$ in the setting of image-finite processes.

Proof: If $\mathcal{O}$ meets the above requirements, then according to Thm. 1.1, $\sim_{\mathcal{O}} = \sim_{\mathcal{O}'}$ where $\mathcal{O}' = \mathcal{O}_{\mathrm{FDP}} \subseteq \mathrm{HML}_{\mathrm{FDP}}$. By Thm. 2 AIP is sound for $\sim_{\mathcal{O}'}$. □

Corollary 2 AIP is sound with respect to all the basic process equivalences on image-finite processes, namely trace, completed trace, failures, readiness, failure trace, ready trace, ready simulation, $n$-nested simulation ($n > 1$), bisimulation.

Proof: As pointed out in [6], all the above equivalences with the exception of completed trace can be defined with a sublogic of Hennessy-Milner logic consisting of finite formulas. Moreover, all formulas in the modal language corresponding to completed trace equivalence are of finite depth. □

Soundness of AIP does not necessarily imply that the equivalence in question is definable with a sublogic of $\mathrm{HML}_{\mathrm{FDP}}$. Observe first that having a fixed set of actions $A$, for any formula $\phi \in \mathrm{HML}$ we can express an ACTL formula $E\phi$ ("there exists an execution path to a state in which $\phi$ holds") with a single formula from HML. Indeed, for any $\phi \in \mathrm{HML}$ the formula $\bigvee_{\sigma \in A^*} \sigma\phi$ is equivalent to $E\phi$ (where $\sigma\phi$ abbreviates $\langle a_1 \rangle \cdots \langle a_k \rangle \phi$ for $\sigma = a_1 \cdots a_k$). Now consider an equivalence relating two processes according to whether action $a$ can be executed in at least one execution path (that is, if $E(\langle a \rangle \top)$ is satisfied). It is easy to observe that AIP is sound for this equivalence, but it cannot be defined with a sublogic of $\mathrm{HML}_{\mathrm{FDP}}$.
3.2 Necessary Criterion for Soundness of AIP

In this section we consider only those equivalences which are compositional w.r.t. projection operators (this includes all the equivalences mentioned in Corollary 2). We will prove that in this class, definability of an equivalence with finite-depth formulas is also a necessary condition for the soundness of AIP.

First we define for each $\phi \in \mathrm{HML}$ a corresponding formula $\mathrm{cut}_n(\phi) \in \mathrm{HML}_{\mathrm{FDP}}$ in which every subformula of the form $\langle a \rangle \psi$ appearing at depth $n$ is replaced with $\bot$. The functions $\mathrm{cut}_n : \mathrm{HML} \to \mathrm{HML}_{\mathrm{FDP}}$ for $n \in \mathbb{N}$ are defined inductively as follows:

$$\mathrm{cut}_n(\top) = \top \qquad \mathrm{cut}_0(\langle a \rangle \phi) = \bot \qquad \mathrm{cut}_n(\neg\phi) = \neg\mathrm{cut}_n(\phi)$$

$$\mathrm{cut}_n\Big(\bigwedge_{i \in I} \phi_i\Big) = \bigwedge_{i \in I} \mathrm{cut}_n(\phi_i) \qquad \mathrm{cut}_{n+1}(\langle a \rangle \phi) = \langle a \rangle \mathrm{cut}_n(\phi)$$

We now prove a key property for cut functions. 

Lemma 3 Given any LTS. For all states $s$, $\phi \in \mathrm{HML}$ and $n \in \mathbb{N}$:

$$\text{(CT)} \qquad \pi_n(s) \models \phi \;\Leftrightarrow\; s \models \mathrm{cut}_n(\phi)$$

Proof: We prove CT by induction on the structure of $\phi$.

• $\phi = \top$:

$\pi_n(s) \models \top$ and $s \models \mathrm{cut}_n(\top) = \top$.

• $\phi = \langle a \rangle \psi$. Now we distinguish the cases $n = 0$ and $n > 0$.

Clearly $\pi_0(s) \not\models \langle a \rangle \psi$ and $s \not\models \mathrm{cut}_0(\langle a \rangle \psi) = \bot$.

If $n > 0$, then $\pi_n(s) \models \langle a \rangle \psi \;\Leftrightarrow\; \exists s' : s \xrightarrow{a} s' \wedge \pi_{n-1}(s') \models \psi$ (transition rules for $\pi_n$) $\;\Leftrightarrow\; \exists s' : s \xrightarrow{a} s' \wedge s' \models \mathrm{cut}_{n-1}(\psi)$ (structural induction) $\;\Leftrightarrow\; s \models \langle a \rangle \mathrm{cut}_{n-1}(\psi) \;\Leftrightarrow\; s \models \mathrm{cut}_n(\langle a \rangle \psi)$ (definition of cut).

• $\phi = \bigwedge_{i \in I} \psi_i$

$\pi_n(s) \models \bigwedge_{i \in I} \psi_i \;\Leftrightarrow\; \forall i \in I\; \pi_n(s) \models \psi_i \;\Leftrightarrow\; \forall i \in I\; s \models \mathrm{cut}_n(\psi_i)$ (structural induction) $\;\Leftrightarrow\; s \models \mathrm{cut}_n(\bigwedge_{i \in I} \psi_i)$ (definition of cut).

• $\phi = \neg\psi$

$\pi_n(s) \models \neg\psi \;\Leftrightarrow\; \pi_n(s) \not\models \psi \;\Leftrightarrow\; s \not\models \mathrm{cut}_n(\psi)$ (structural induction) $\;\Leftrightarrow\; s \models \neg\mathrm{cut}_n(\psi) \;\Leftrightarrow\; s \models \mathrm{cut}_n(\neg\psi)$ (definition of cut).

□
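As an added example (not code from the paper) serving both Lemma 2 and Lemma 3, the following Python implements an HML model checker over a finite, image-finite LTS, builds the projections $\pi_n$ as a derived LTS on pairs $(s, n)$ following the rule scheme of Sect. 3, and implements the depth $d$ and $\mathrm{cut}_n$; it then checks (CT) and the statement of Lemma 2 on a constructed LTS (an $a$-cycle next to a finite $a$-path). The tuple encoding, the LTS, the choice to encode $\bot$ as $\neg\top$, and the names `sat`, `depth`, `cut`, `project`, `lemma2_holds`, `lemma3_holds`, `dia_n` are assumptions of this example; only finite conjunctions are representable.

```python
# Added example, not from the paper. Constructed encoding of HML formulas:
#   ('top',) | ('and', (f1, ...)) | ('dia', a, f) | ('not', f)
# An LTS is a dict: state -> set of (action, successor) pairs.
TOP = ('top',)

def sat(trans, s, f):
    """Model checker: returns whether s |= f in the LTS trans (Sect. 2.1 semantics)."""
    tag = f[0]
    if tag == 'top': return True
    if tag == 'and': return all(sat(trans, s, g) for g in f[1])
    if tag == 'dia': return any(a == f[1] and sat(trans, t, f[2]) for a, t in trans.get(s, ()))
    if tag == 'not': return not sat(trans, s, f[1])
    raise ValueError(f)

def depth(f):
    """d(f): modal depth as defined in Sect. 2.1 (sup over an empty conjunction is 0)."""
    tag = f[0]
    if tag == 'top': return 0
    if tag == 'and': return max((depth(g) for g in f[1]), default=0)
    if tag == 'dia': return 1 + depth(f[2])
    return depth(f[1])  # 'not'

def cut(n, f):
    """cut_n: replace every <a>psi occurring at depth n by bottom (encoded as not top)."""
    tag = f[0]
    if tag == 'top': return f
    if tag == 'and': return ('and', tuple(cut(n, g) for g in f[1]))
    if tag == 'not': return ('not', cut(n, f[1]))
    if n == 0: return ('not', TOP)             # cut_0(<a>phi) = bottom
    return ('dia', f[1], cut(n - 1, f[2]))    # cut_{n+1}(<a>phi) = <a>cut_n(phi)

def project(trans, max_n):
    """Derived LTS in which state (s, n) plays the role of pi_n(s):
    (s, n+1) -a-> (t, n) iff s -a-> t, and (s, 0) has no transitions."""
    states = set(trans) | {t for succ in trans.values() for _, t in succ}
    proj = {}
    for s in states:
        for n in range(max_n + 1):
            proj[(s, n)] = {(a, (t, n - 1)) for a, t in trans.get(s, ())} if n > 0 else set()
    return proj

def lemma3_holds(trans, s, f, n):
    """(CT): pi_n(s) |= f  iff  s |= cut_n(f)."""
    proj = project(trans, n)
    return sat(proj, (s, n), f) == sat(trans, s, cut(n, f))

def lemma2_holds(trans, s, f, extra=3):
    """Lemma 2 for finite-depth f: s |= f iff pi_n(s) |= f for all n > d(f); checked for
    n = d(f)+1 .. d(f)+extra, which is all the projections this finite LTS can distinguish."""
    d = depth(f)
    proj = project(trans, d + extra)
    return all(sat(proj, (s, n), f) == sat(trans, s, f) for n in range(d + 1, d + extra + 1))

def dia_n(a, n, f=TOP):
    """<a>^n f, the abbreviation used in Sect. 2.3."""
    for _ in range(n):
        f = ('dia', a, f)
    return f

# Constructed sample LTS: 'cyc' loops on a forever; 'path' can do a twice and then deadlocks.
LTS = {'cyc': {('a', 'cyc')}, 'path': {('a', 'p1')}, 'p1': {('a', 'p2')}, 'p2': set()}

PHI = dia_n('a', 3)                                          # <a><a><a>T, depth 3
BOX_DIA = ('not', ('dia', 'a', ('not', ('dia', 'a', TOP))))  # [a]<a>T written with negation
```

`PHI` separates the cycle from the path (`sat(LTS, 'cyc', PHI)` is true, `sat(LTS, 'path', PHI)` false), and `cut(2, PHI)` collapses to `<a><a>bottom`, which no state satisfies: the second projection cannot see three steps, exactly as (CT) predicts. The `extra` window in `lemma2_holds` is what makes the check meaningful on a finite LTS, since from $n > d(\phi)$ on the projection has enough depth to evaluate the formula and the answer stops changing.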

Theorem 3 Suppose $\sim_{\mathcal{O}}$ is a process equivalence induced by some $\mathcal{O} \subseteq \mathrm{HML}$ and compositional w.r.t. all projection operators $\pi_n$. AIP is sound for $\sim_{\mathcal{O}}$ if and only if $\sim_{\mathcal{O}}$ can be defined with some $\mathcal{O}_1 \subseteq \mathrm{HML}_{\mathrm{FDP}}$.

Proof: "$\Leftarrow$": That definability of an equivalence with a sublogic of $\mathrm{HML}_{\mathrm{FDP}}$ implies soundness of AIP has already been proven in Thm. 2.

"$\Rightarrow$": We have to prove that soundness of AIP implies $\exists \mathcal{O}_1 \subseteq \mathrm{HML}_{\mathrm{FDP}} : s \sim_{\mathcal{O}} q \Leftrightarrow s \sim_{\mathcal{O}_1} q$. The desired $\mathcal{O}_1$ is constructed by applying the $\mathrm{cut}_n$ functions to formulas from $\mathcal{O}$: $\mathcal{O}_1 = \bigcup_{n \in \mathbb{N}} \{\mathrm{cut}_n(\phi) \mid \phi \in \mathcal{O}\}$. We have:

$s \sim_{\mathcal{O}} q \;\Leftrightarrow\; \forall n \in \mathbb{N}\,(\pi_n(s) \sim_{\mathcal{O}} \pi_n(q))$ (soundness of AIP for $\sim_{\mathcal{O}}$ and compositionality w.r.t. projection)

$\;\Leftrightarrow\; \forall n \in \mathbb{N}\,(\forall \phi \in \mathcal{O}\; \pi_n(s) \models \phi \Leftrightarrow \pi_n(q) \models \phi)$

$\;\Leftrightarrow\; \forall n \in \mathbb{N}\,(\forall \phi \in \mathcal{O}\; s \models \mathrm{cut}_n(\phi) \Leftrightarrow q \models \mathrm{cut}_n(\phi))$ (Lem. 3)

$\;\Leftrightarrow\; \forall \psi \in \mathcal{O}_1\,(s \models \psi \Leftrightarrow q \models \psi)$ (def. of $\mathcal{O}_1$)

$\;\Leftrightarrow\; s \sim_{\mathcal{O}_1} q$. □